Check-in [74d7607e3c]
Overview
Comment:Fixed issue with NULL tags found with AFL fuzzing
SHA1: 74d7607e3c424610f674dd55ccecfc73aca21985
User & Date: rkeene on 2015-07-24 15:10:49
Context
2015-07-24
15:11
Better cleanup now that we exclude some bytes in debug printing buffer check-in: 75b2699549 user: rkeene tags: trunk
15:10
Fixed issue with NULL tags found with AFL fuzzing check-in: 74d7607e3c user: rkeene tags: trunk
04:11
Further failure to free on error repaired and start of AFL testing code added. check-in: 8299a1c4f7 user: rkeene tags: trunk
Changes

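--- a/asn1-x509.c
+++ b/asn1-x509.c
@@ -66,52 +66,61 @@
 	}
 
 	buf_p = buf;
 
 	outbuf->tag = *buf_p;
 	buf_p++;
 	buflen--;
-	if (buflen == 0) {
-		return(-1);
-	}
 
 	/* NULL Tag -- no size is required */
 	if (outbuf->tag == 0x00) {
+		outbuf->size = 0;
+		outbuf->asn1rep_len = 1;
+		outbuf->asn1rep = buf;
+
 		return(_asn1_x509_read_asn1_object(buf_p, buflen, args));
 	}
+
+	if (buflen == 0) {
+		return(-1);
+	}
 
 	small_object_size = *buf_p;
 	buf_p++;
 	buflen--;
 	if (buflen == 0) {
 		return(-1);
 	}
 
 	if ((small_object_size & 0x80) == 0x80) {
 		outbuf->size = 0;
 
 		for (small_object_size ^= 0x80; small_object_size; small_object_size--) {
 			outbuf->size <<= 8;
 			outbuf->size += *buf_p;
 
 			buf_p++;
 			buflen--;
+
 			if (buflen == 0) {
 				break;
 			}
 		}
 	} else {
 		outbuf->size = small_object_size;
 	}
 
 	if (outbuf->size > buflen) {
 		return(-1);
 	}
 
+	if (buflen != 0) {
-	outbuf->contents = buf_p;
+		outbuf->contents = buf_p;
+	}
+
 	outbuf->asn1rep_len = outbuf->size + (buf_p - buf);
 	outbuf->asn1rep = buf;
 
 	buf_p += outbuf->size;
 	buflen -= outbuf->size;
 
 	return(_asn1_x509_read_asn1_object(buf_p, buflen, args));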
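Review bot: Two paths in the new code return success without assigning `outbuf->contents`: the NULL-tag branch sets only `size`, `asn1rep_len` and `asn1rep`, and the new `if (buflen != 0)` guard skips the assignment when the length octets consumed the rest of the buffer. Whether the caller zeroes the output structs is not visible here, so a consumer that reads `contents` after a zero-size object may see a stale or indeterminate pointer. Adding `outbuf->contents = NULL;` in the NULL-tag branch and as an `else` of the guard would make the result deterministic. The guarded case is also reached when the long-form length loop hits `break` with length octets still outstanding, so a truncated length that happens to decode to 0 is accepted rather than rejected with `return(-1)`. The function begins and ends outside this hunk.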